On Wed, 8 May 2024 at 02:33, Justin Mclean <jmcl...@apache.org> wrote:
> Hi,
>
> The Cassandra download page [1] includes signature files, but you also
> need to include a link to the KEYS files to verify these. Relevant ASF
> policy is here [2].
>
> Trying to verify the latest source release, it fails with this error:
> gpg: assuming signed data in 'apache-cassandra-5.0-beta1-src.tar.gz'
> gpg: Signature made Sat 2 Dec 00:13:44 2023 AEDT
> gpg: using RSA key A4C465FEA0C552561A392A61E91335D77E3E87CB
> gpg: BAD signature from "Michael Semb Wever <m...@thelastpickle.com>" [unknown]

Thanks for catching this.

The signature on the 5.0-beta1-src tarball is confirmed wrong. This problem doesn't exist on other source release artefacts, as far as I have checked.

I'll fix the downloads page. Not sure what we do about 5.0-beta1-src.

Below is the correct signature, which can also be verified against the staged artifact we voted on in svn history:
https://dist.apache.org/repos/dist/!svn/bc/65840/dev/cassandra/5.0-beta1/
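An added example, not part of this thread or of the Cassandra project's tooling: a release check that reads gpg's machine-readable `--status-fd` lines, so that a BAD signature like the one reported above is told apart from a signer key that is simply absent from the imported KEYS file. The names `classify`, `verify` and `TRUSTED` are hypothetical, the sample status lines are constructed, and the fingerprint is the one in the quoted gpg output.

```python
import subprocess

# Fingerprint from the gpg output quoted in the message above.
TRUSTED = {"A4C465FEA0C552561A392A61E91335D77E3E87CB"}

# Constructed status lines (signer name and timestamps are made up).
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG E91335D77E3E87CB Example Signer\n"
SAMPLE_NOKEY = ("[GNUPG:] ERRSIG E91335D77E3E87CB 1 10 00 1701436424 9 -\n"
                "[GNUPG:] NO_PUBKEY E91335D77E3E87CB\n")
SAMPLE_GOOD = ("[GNUPG:] GOODSIG E91335D77E3E87CB Example Signer\n"
               "[GNUPG:] VALIDSIG A4C465FEA0C552561A392A61E91335D77E3E87CB "
               "2023-12-01 1701436424 0 4 0 1 10 00 "
               "A4C465FEA0C552561A392A61E91335D77E3E87CB\n")

def classify(status_text, trusted=TRUSTED):
    """Reduce gpg --status-fd output to one verdict.

    good         valid signature made by a key listed in `trusted`
    bad          BADSIG: the signature does not match the file
    missing-key  signer's key is not in the keyring (import KEYS first)
    untrusted    valid signature, but from a key outside `trusted`
    error        anything else; treated as a failure
    """
    seen = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            keyword, _, rest = line[len("[GNUPG:] "):].partition(" ")
            seen.setdefault(keyword, rest.split())
    if "BADSIG" in seen:
        return "bad"
    if "NO_PUBKEY" in seen:
        return "missing-key"
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        fields = seen["VALIDSIG"]
        # Field 0 is the signing key fingerprint; field 9, when present,
        # is the primary key fingerprint (differs when a subkey signed).
        primary = fields[9] if len(fields) > 9 else fields[0]
        return "good" if {fields[0], primary} & trusted else "untrusted"
    return "error"

def verify(sig_path, data_path, homedir):
    """Run gpg in a keyring that holds only the imported KEYS file."""
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--status-fd", "1",
         "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify(proc.stdout)
```

Only "good" should let a download or mirror job proceed; every other verdict, including "error", fails closed.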